PT-2024-13606 · Apache · Apache Drill
Yuzhe Huang
·
Published
2024-07-24
·
Updated
2024-09-10
·
CVE-2023-48362
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Apache Drill versions 1.19.0 through 1.21.1
Description
The XML Format Plugin parses XML with external entity resolution enabled, which is an XML External Entity (XXE) vulnerability. A user who can make Drill read a malicious XML file through the plugin (for example, by querying it with SQL) can read any file on the file system of the Drill node or execute commands.
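The following is an added example written for this advisory; it is not Apache Drill's own reader code and does not reproduce the patch in 1.21.2. It assumes the JDK's built-in StAX implementation, which resolves external entities by default, and uses a constructed XML file and a temporary "secret" file as stand-ins for a queried dataset and a sensitive file on the Drill node. It shows the XXE read that the description refers to, and the standard StAX hardening (disable DTDs and external entities) that stops it.

```java
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import java.io.StringReader;
import java.nio.file.Files;
import java.nio.file.Path;

/**
 * XXE against a StAX reader, and the hardened factory that blocks it.
 * Illustrative code for the advisory, not Apache Drill's XML reader.
 */
public class XxeDemo {

    // Constructed sample: a row-oriented XML file of the kind a format plugin
    // parses, with a DOCTYPE declaring an external entity that points at a
    // local file (a file:// URI on the machine running the parser).
    static String maliciousXml(Path secret) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE rows [\n"
             + "  <!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">\n"
             + "]>\n"
             + "<rows><row><name>&xxe;</name></row></rows>";
    }

    // Vulnerable: the JDK default factory resolves external entities, so the
    // referenced file's contents come back as ordinary element text.
    static XMLInputFactory vulnerableFactory() {
        return XMLInputFactory.newInstance();
    }

    // Hardened: no DTD processing at all, and no external entity resolution.
    // Either setting alone would stop this payload; setting both is the
    // usual defence-in-depth configuration for StAX.
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return f;
    }

    // Collects the text of every <name> element, the way a reader would copy
    // values into a row's columns. CHARACTERS may arrive in several chunks,
    // so the text is appended rather than taken from a single event.
    static String extractNames(XMLInputFactory factory, String xml) throws XMLStreamException {
        XMLStreamReader r = factory.createXMLStreamReader(new StringReader(xml));
        StringBuilder out = new StringBuilder();
        boolean inName = false;
        while (r.hasNext()) {
            switch (r.next()) {
                case XMLStreamConstants.START_ELEMENT:
                    inName = "name".equals(r.getLocalName());
                    break;
                case XMLStreamConstants.CHARACTERS:
                    if (inName) out.append(r.getText());
                    break;
                case XMLStreamConstants.END_ELEMENT:
                    inName = false;
                    break;
                default:
                    break;
            }
        }
        r.close();
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Stand-in for a sensitive file on the Drill node (constructed for the demo).
        Path secret = Files.createTempFile("drill-xxe-", ".txt");
        Files.writeString(secret, "db_password=hunter2");
        String xml = maliciousXml(secret);

        // Default factory: prints the secret file's contents as the <name> value.
        System.out.println("default factory : " + extractNames(vulnerableFactory(), xml));

        // Hardened factory: the entity is never resolved. Depending on the
        // StAX implementation the document is rejected outright or the
        // unresolved reference yields no text; either way nothing leaks.
        try {
            System.out.println("hardened factory: " + extractNames(hardenedFactory(), xml));
        } catch (XMLStreamException e) {
            System.out.println("hardened factory: rejected (" + e.getMessage() + ")");
        }
        Files.deleteIfExists(secret);
    }
}
```

Run with `javac XxeDemo.java && java XxeDemo`. The same entity mechanism can point at `http://` URIs, which is why an XXE in a query engine is also a server-side request forgery primitive; the hardened factory blocks that case too, since the entity is never resolved at all.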
Recommendations
For Apache Drill versions 1.19.0 through 1.21.1, upgrade to version 1.21.2 or later, which fixes the issue. Where an upgrade cannot be applied immediately, removing the xml format from storage plugin configurations, or restricting which users may submit queries, reduces the exposed attack surface; only the upgrade removes the flaw itself.
Fix
XXE
Affected Products
Apache Drill